I’ve heard that the best writers draw inspiration from the people around them. Clearly this works for crap writers too, because I totally stole the phrase ‘distracting innovation’ from a friend of mine. So thank you for that Gareth.
I have dedicated the last half of my career to providing my clients the only thing that makes sense to me: an appropriate security program that supports and enables the needs of the business. I have also chosen to predicate the implementation of that program on the following well-established cornerstones. In order of importance:
- People – Absolutely no point starting anywhere else; people are always at the top of the food chain. Everything else is secondary to the needs we have, the goals we set, and most importantly in security, the things we do;
- Process – A very generic term for what amounts to the lion’s share of the entire security program. It includes the policy ‘parameters’, the standard ‘baselines’, and the procedural ‘corporate knowledge’. The ‘what’, the ‘with’ and the ‘how’ respectively. It should also include an understanding of every business process mapped all the way down to the individual assets. There is no security, let alone demonstrable compliance to any regulation, without these things;
- Technology – Makes the first 2 exponentially better if, and ONLY if, you get them right from the start. You will never have an appropriate security program without technology, but you will never create one with it.
But this is not what happens in the real world. You have never, and will never, see a security product vendor spend 1 penny on a marketing campaign with the tagline: “We do the basics!” No, what you’ll see instead is every vendor trying to outdo the others with just how many buzz-phrases they can use to describe their attempt at an all-singing, all-dancing product: “A disruptive, next generation, cloud-based solution based on blockchain that uses artificial intelligence, machine learning, and big-data analytics to automatically detect and prevent advanced persistent threats in real-time…” And so on.
Forget that this is all utter nonsense (especially AI), because it is only designed to feed into the unrealistic desires/fantasies of far too many organisations; i.e. plug something into my network and all my security problems magically disappear. The fact that the vendors are nothing short of lying, and getting away with it, is our fault. We are the ones mesmerised by a shiny thing and completely failing to ask the right questions.
These get-rich-quick / lose-weight-fast vendors are distracting us from the fact that security is little more than bloody hard work. It’s a non-stop commitment to doing the right thing in the right way, then trying to do it better the next time. And the time after that…
There wouldn’t be any of these ‘silver-bullet’ products developed if we weren’t buying them! Even if we were being generous and assumed these vendors actually had the best of intentions, their products would still fail to produce anything like the results they promise. Their promises are no different from the weight loss pills that show dramatic results, but fail to tell you that it ALSO requires you to exercise 4 hours a day, stop drinking, and eat nothing but healthy low-sugar foods. You would have lost the weight ANYWAY if you’d just put the effort in!
Your results may vary… yeah, no sh!t!
- Second – Run a risk assessment and a control gap analysis;
- Third – Fill as many gaps as you can with changes to people and process; and
- LAST and least – Determine IF there is a technology out there that can fill the remaining gaps, measured against your fully defined functional needs.
Did your eyes glaze over reading that? Wasn’t even remotely sexy, was it? Sounded like a lot of effort, right? Crap analogy: if you want to run a marathon, you need to train for 6 months to get in shape. Want to maintain that shape? You run a few miles each day. There are NO shortcuts.
To be honest I’m not sure why I even wrote this blog. Those who don’t care won’t change, and those who already agree don’t need convincing. Hell, I can’t even get my own clients to take this seriously. I have quite literally wasted 4 hours repeating things I have said a thousand times because I loved the title. Thanks again Gareth! 🙂
So, like people who only start taking care of themselves after a heart attack, most organisations won’t take security seriously until after they’ve been breached. Then, instead of starting from scratch and doing things properly, they throw money at the issues hoping they will sort themselves out. That money invariably goes on new technology that can never fix the root cause. But it did get their attention.
Anyway, if I have stopped just one person throwing away thousands on technology they can’t manage, maintain, or monitor themselves, I will consider this time well spent.
I work in security, I have a naturally low bar for success.